Beispiel #1
0
// Extracts the info from the binary
func binaryData(artifact *Artifact, filePath string) error {
	if sectionData, libraries, symbols, err := binanal.PEAnal(filePath); err == nil {
		artifact.Format = "pe"
		artifact.Imports = libraries
		artifact.Symbols = symbols
		artifact.Sections = extractSectionNames(sectionData)
		if err := generateColorImage(artifact.ImageDir, filePath, sectionData); err != nil {
			return err
		}
	} else if sectionData, libraries, symbols, err := binanal.ELFAnal(filePath); err == nil {
		artifact.Format = "elf"
		artifact.Imports = libraries
		artifact.Symbols = symbols
		artifact.Sections = extractSectionNames(sectionData)
		if err := generateColorImage(artifact.ImageDir, filePath, sectionData); err != nil {
			return err
		}
	} else if sectionData, libraries, symbols, err := binanal.MACHOAnal(filePath); err == nil {
		artifact.Format = "macho"
		artifact.Imports = libraries
		artifact.Symbols = symbols
		artifact.Sections = extractSectionNames(sectionData)
		if err := generateColorImage(artifact.ImageDir, filePath, sectionData); err != nil {
			return err
		}
	} else {
		artifact.Format = "unknown"
		artifact.Imports = libraries
		artifact.Symbols = symbols
		if err := generateImage(artifact.ImageDir, filePath); err != nil {
			return err
		}
	}

	return nil
}
Beispiel #2
0
// Runs the artifact cataloger
func catalog() {
	// Artifact array to store all the artifacts structs
	var artifactArray []Artifact
	var strains []string
	var mutations []string

	dir, err := ioutil.ReadDir(dirFlag)
	checkErr(err)

	dbgPrint("Calculating SSDEEP.")
	// Calculate ssdeep for all the files and create Artifact
	for k := range dir {
		var element Artifact
		fileName := dir[k].Name()
		fileDir := path.Join(dirFlag, fileName)

		// Get DNA of binary
		hash, err := ssdeep.HashFilename(fileDir)
		checkErr(err)

		element.Ssdeep = hash
		element.Sha256 = fileName
		element.ArtifactDir = path.Join(dirFlag, fileName)
		element.ImageDir = fmt.Sprintf("%s.png", path.Join(imgoutFlag, fileName))
		artifactArray = append(artifactArray, element)
	}

	// Generates the binary info
	dbgPrint("Artifact info extraction.")
	for i := range artifactArray {
		fileDir := artifactArray[i].ArtifactDir
		fullImageDir := artifactArray[i].ImageDir

		// Reads the artifact into a binary array
		binaryArray, err := ioutil.ReadFile(fileDir)
		checkErr(err)

		if sectionData, libraries, symbols, err := binanal.PEAnal(fileDir); err == nil {
			// Check and extract data if PE
			err := setArtifactData(&artifactArray[i], "pe", symbols, libraries)
			checkErr(err)
			generateColorImage(fullImageDir, binaryArray, sectionData)
		} else if sectionData, libraries, symbols, err := binanal.ELFAnal(fileDir); err == nil {
			// Check and extract data if ELF
			err := setArtifactData(&artifactArray[i], "elf", symbols, libraries)
			checkErr(err)
			generateColorImage(fullImageDir, binaryArray, sectionData)
		} else if sectionData, libraries, symbols, err := binanal.MACHOAnal(fileDir); err == nil {
			// Check and extract data if Mach-O
			err := setArtifactData(&artifactArray[i], "macho", symbols, libraries)
			checkErr(err)
			generateColorImage(fullImageDir, binaryArray, sectionData)
		} else {
			// Not a PE, ELF nor MACH-O
			err := setArtifactData(&artifactArray[i], "unknown", nil, nil)
			checkErr(err)
			generateImage(fullImageDir, binaryArray)
		}
	}

	// Genetic selector
	dbgPrint("Genetic classification.")
	for i := range artifactArray {
		var mutsOfStrain []string
		atfNameA := artifactArray[i].Sha256
		isStrA := sliceContains(strains, atfNameA)
		isMutA := sliceContains(mutations, atfNameA)

		// Not a mutation nor strain, set as strain
		if !isStrA && !isMutA {
			strains = append(strains, atfNameA)
			artifactArray[i].Strain = ""
		}

		for j := range artifactArray {
			atfNameB := artifactArray[j].Sha256
			isSelf := atfNameA == atfNameB
			isStrB := sliceContains(strains, atfNameB)
			isMutB := sliceContains(mutations, atfNameB)

			// if A is B continue to next loop
			if isSelf {
				continue
			}

			perc, err := ssdeep.Compare(artifactArray[i].Ssdeep, artifactArray[j].Ssdeep)
			checkErr(err)

			if !isStrB && !isMutB && !isStrA && !isMutA {
				if perc >= thresholdFlag {
					mutsOfStrain = append(mutsOfStrain, atfNameB)
					mutations = append(mutations, atfNameB)
					artifactArray[j].Strain = atfNameA
				}
			}
		}

		// Append mutations of the strain to the strain
		artifactArray[i].Mutations = mutsOfStrain
	}

	// Prints the formatted JSON
	fmt.Println("[")
	for k := range artifactArray {
		jsonBytes, _ := json.MarshalIndent(artifactArray[k], "", "\t")
		fmt.Println(string(jsonBytes) + ",")
	}
	fmt.Println("]")
}